Friday, January 22, 2010

OpenBSD Transparent Firewall for Server Room Switch

Below is the rule set for an OpenBSD transparent firewall that protects the servers on one switch from unauthorized hosts on the local network. The ruleset assumes a network (perimeter) firewall is already in place; this one filters only on the MAC addresses of local clients and devices, so it does not replace IP-level filtering.

The firewall is set up with three network interfaces and sits between the server room's network access port and the server room switch. Two interfaces form the bridge; the third is needed for remote SSH access and is plugged into a regular port on the switch.

Here is a link to my old post on MAC filtering using a Bridge and Packet Tagging



#############################################################
# Macros and Tables
#############################################################

# Interfaces
switch_if = "bge0"
nap_if = "bge1"
ssh_if = "em0"

############################################################
# Logging, Timeouts, Limits, Interface skips, Scrubs
############################################################

# Set logging interface
set loginterface $nap_if

# Adaptive timeouts and a higher state limit: states start expiring
# faster once 10000 are in the table, reaching full speed at 110000
set timeout { adaptive.start 10000, adaptive.end 110000 }
set limit states 100000
set timeout interval 10

# Normalize all incoming/outgoing traffic to prevent malformed packets
match in all scrub (no-df)

# Don't filter on the loopback interface or the management (ssh) interface
set skip on lo0
set skip on $ssh_if

###########################################################
# Rules
###########################################################

# Block Traffic from Unauthorized Hosts into Servers
block in log on $nap_if all label "block in"

# Allow All Traffic on Switch Interface
pass in quick on $switch_if all
pass out quick on $switch_if all

# Allow All Traffic From Servers Behind Switch to Rest of Network
pass out quick on $nap_if all

# Allow Traffic from Known Good Mac Addresses into Servers
# The "goodmac" tag is applied by the bridge rules (brconfig), not by pf;
# frames from unknown MACs arrive untagged and fall through to the block rule above
pass in quick on $nap_if all tagged goodmac

# Allow broadcast UDP into Servers: DHCP (67/68), NetBIOS (137/138),
# SSDP (1900) and WS-Discovery (3702)
pass in quick on $nap_if proto udp to any port { 67 68 137 138 1900 3702 }
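The pf rules above only pass frames that already carry the goodmac tag; the tag itself comes from the bridge configuration described in the old post, not from pf.conf. The following is an added example (not part of the original post) of a small POSIX sh script that generates that bridge configuration: it reads an allowlist of MAC addresses and emits brconfig(8)-style lines for /etc/hostname.bridge0 that tag frames arriving on the access-port interface from each listed MAC. The interface names bge0 and bge1 are taken from the ruleset; the MAC addresses, the GOOD_MACS variable and the function names are constructed for the example. Malformed entries are reported and skipped rather than turned into rules that would never match.

```shell
#!/bin/sh
# Added example (not from the original post): generate an OpenBSD
# /etc/hostname.bridge0 fragment that tags frames from an allowlist of
# known-good MAC addresses with "goodmac", the tag matched by the pf rule
# "pass in quick on $nap_if all tagged goodmac".
# bge0/bge1 come from the post; the MAC addresses below are constructed samples.

SWITCH_IF=bge0   # switch side of the bridge
NAP_IF=bge1      # network access port side, where untrusted frames arrive

# Constructed allowlist: one MAC per line; '#' comments and blank lines are ignored.
GOOD_MACS='
# admin workstation (sample)
00:11:22:33:44:55
# monitoring host (sample)
aa:bb:cc:dd:ee:01
'

# is_mac: succeed only if $1 is a well-formed colon-separated 48-bit MAC
is_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# gen_bridge_rules: read MACs from stdin and print hostname.bridge0 lines.
# Untagged frames are still bridged (the bridge default is pass), so an
# unlisted host reaches pf untagged and is dropped by the block rule there.
gen_bridge_rules() {
    printf 'add %s\nadd %s\n' "$SWITCH_IF" "$NAP_IF"
    while IFS= read -r line; do
        mac=${line%%#*}                               # strip trailing comments
        mac=$(printf '%s' "$mac" | tr -d '[:space:]')  # and surrounding whitespace
        [ -n "$mac" ] || continue
        if is_mac "$mac"; then
            printf 'rule pass in on %s src %s tag goodmac\n' "$NAP_IF" "$mac"
        else
            printf 'skipping malformed MAC: %s\n' "$line" >&2
        fi
    done
    printf 'up\n'
}

# count_tag_rules: number of tagging rules produced for the allowlist in $1
count_tag_rules() {
    printf '%s\n' "$1" | gen_bridge_rules 2>/dev/null | grep -c 'tag goodmac'
}

# Stand-alone usage: print the fragment (redirect to /etc/hostname.bridge0 on the firewall)
printf '%s\n' "$GOOD_MACS" | gen_bridge_rules
```

Keeping the allowlist in one file and regenerating the bridge configuration from it makes it easy to review which hosts are trusted, and the validation step catches a mistyped address before it silently produces a rule that never tags anything.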
